Date: Tue, 27 Feb 2001 20:21:45 -0800
From: Steve Reid <sreid@sea-to-sky.net>
To: Brooks Davis <brooks@one-eyed-alien.net>
Cc: Rob Simmons <rsimmons@wlcg.com>, George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
Message-ID: <20010227202145.A31471@grok.bc.hsia.telus.net>
In-Reply-To: <20010227145512.A13920@Odin.AC.HMC.Edu>; from Brooks Davis on Tue, Feb 27, 2001 at 02:55:12PM -0800
References: <OFF1AB3DF2.EE5F05B7-ON86256A00.007ADD5A@MC.VANDERBILT.EDU>
    <Pine.BSF.4.33.0102271738250.82118-100000@mail.wlcg.com>
    <20010227145512.A13920@Odin.AC.HMC.Edu>

On Tue, Feb 27, 2001 at 02:55:12PM -0800, Brooks Davis wrote:
> If you do this be sure to keep users from being able to access the system
> via ssh. Otherwise they can just use ssh to spawn a shell for themselves:
>
> ssh -t <host> /bin/sh

Are you certain about this? I tried this on a 4.1.1-R box I operate and it didn't let me in.

The box is set up with the ftp login shell set to "/nonexistent/ftponly", which is listed in /etc/shells but does not exist. I suspect sshd is trying to use the login shell to execute the supplied command, which will fail if the login shell doesn't exist.

Either I'm not doing it right, or other ssh/sshd combinations are different, or you're wrong about it being possible.
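
An added example, not part of the original message or of FreeBSD: a Python audit that reports, for each passwd entry, whether its login shell is listed in /etc/shells and whether that shell exists as an executable. It assumes, as the reply suspects, that sshd hands a requested command to the account's login shell, and that ftpd only accepts shells listed in /etc/shells; the sample data and function names are constructed for illustration.

```python
import os

# Constructed sample data (not taken from the original message).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
ftpuser:*:1001:1001:FTP only:/home/ftpuser:/nonexistent/ftponly
alice:*:1002:1002:Alice:/home/alice:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
"""
SAMPLE_SHELLS = """\
# List of acceptable shells for chpass(1).
/bin/sh
/bin/csh
/nonexistent/ftponly
"""

def parse_shells(text):
    """Return the set of paths listed in an /etc/shells-style file."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("/"):
            shells.add(line)
    return shells

def is_executable(path):
    """True if the shell exists as a regular, executable file."""
    return os.path.isfile(path) and os.access(path, os.X_OK)

def audit(passwd_text, shells_text, executable=is_executable):
    """Map account -> (shell listed in /etc/shells, shell can be executed).

    (True, False) is the FTP-only setup from the message: the shell is
    listed, but there is nothing for sshd to execute (assumption above).
    (True, True) means a command sent over ssh would reach a real program.
    """
    shells = parse_shells(shells_text)
    result = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # comment or malformed entry
        shell = fields[-1] or "/bin/sh"  # empty shell field means /bin/sh
        result[fields[0]] = (shell in shells, executable(shell))
    return result

if __name__ == "__main__":
    for user, (listed, runnable) in audit(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print(f"{user:8} listed={listed!s:5} executable={runnable}")
```

On a real host, pass the contents of /etc/passwd and /etc/shells instead of the samples; the `executable` parameter exists so the check can be exercised without touching the filesystem.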